ABSTRACT



A smart card for use in connection with execution of a 
software program by a computer includes a microcontroller 
configured by a program stored in a smart card memory to 
verify information received from the computer during 
execution of the software program. The microcontroller is 
further configured to cause a signal to be stored in the smart 
card memory which is indicative of whether execution of the 
software program is certified as valid based on results of 
verifying the received information. Methods of using the 
smart card are also disclosed.

49 Claims, 6 Drawing Sheets 
VALIDATING AND CERTIFYING
EXECUTION OF A SOFTWARE PROGRAM
WITH A SMART CARD

BACKGROUND OF THE INVENTION 

The invention relates generally to validating and certify- 
ing execution of a software program with a smart card. 

The proliferation of computers, including the personal 
computer, has allowed a wide variety of tasks and functions 
to be performed more efficiently and quickly. In addition, 
computers have provided a new mode for providing 
entertainment, for example, in the gaming industry, where it 
is occasionally desirable to validate results obtained by a 
consumer. The continued reliance on computer systems 
depends, in part, on the ability of persons using such systems 
to be assured that software programs being executed by the 
computer are, in fact, producing reliable results. This 
requires, among other things, that persons who wish to rely 
on results generated by a computer executing particular 
software are assured that the software has not been altered 
in an unauthorized manner. Situations can arise in which a 
software program has been altered or modified in an unau- 
thorized manner, yet the alteration or modification may not 
always be capable of being easily detected by the user of the
program. Such unauthorized alterations can result, for 
example, in the program's producing erroneous results. It 
may also allow unauthorized persons to use the software or 
may cause damage to the local computing environment. 
Moreover, such modifications of the computer program may 
result in proprietary information being sent to unauthorized 
third parties. 

SUMMARY OF THE INVENTION 
In general, in one aspect, the invention features a method 
of validating execution of a software program. The method 
includes executing the software program on a computer, 
sending information from the computer to a smart card 
during execution of the software program, verifying in the 
smart card information received from the computer, and 
storing a signal in the smart card indicative of whether 
execution of the software program is certified as valid. 

In another aspect, the method of validating execution of 
a software program includes executing the software program 
on a computer, verifying in a smart card information 
received from the computer during execution of the software 
program, and generating a signal in the smart card indicative 
of whether execution of the software program is certified as 
valid.

In yet a further aspect, the invention features a smart card 
for use in connection with execution of a software program 
by a computer. The smart card includes communication 
circuitry for receiving information from a location external 
to the smart card and for transmitting information from the 
smart card to the external location. The smart card further 
includes a memory which stores data and a smart card 
program. In addition, the smart card includes a microcon- 
troller configured by the smart card program to verify 
information received from the computer during execution of 
the software program and to cause a signal to be stored in the 
memory. The signal is indicative of whether execution of the 
software program is certified as valid based on results of 
verifying the received information. 

The invention also includes a software package including 
a computer readable medium, which stores a software pro- 
gram for execution by a computer, and a smart card, such as 
the smart card described above and discussed in greater 
detail below. 
Various implementations of the invention include one or
more of the following features. Different types of information
can be sent to the smart card. The information can
include, for example, an identifier indicative of a point in the
software program at which the information was sent to the
smart card, information indicative of the current state of the
software program, or the current value of a variable used in
the software program. The smart card can perform one or
more verification tests in response to the information
received from the computer. For example, the smart card can
check whether the identifier is correct, whether the current
value of the variable is accurate, or whether the current value
of the variable falls within a prescribed range. The information
sent by the computer can also identify memory
addresses in the computer in which specified data is stored,
and the smart card can verify whether the memory addresses
are permissible memory locations for the specified data.

One or more control values can be sent from the smart 
card to the computer in response to verifying the information 
received from the computer. A control value can be used to 
determine when subsequent information will be sent from 
the computer to the smart card during execution of the 
software program. The smart card can determine whether the
software program responds correctly to the one or more 
control values. The frequency with which the computer 
sends information to the smart card can depend upon the 
control values. The smart card can also verify that the order 
in which information is received from the computer is 
correct. 

In various implementations, the smart card can determine
whether the frequency with which routines in the software
program are called is within acceptable ranges. Similarly,
the smart card can determine whether a duration of time
between successive calls to the smart card by the computer
during execution of the software program is within acceptable
ranges.

The smart card can store or generate a signal indicating 
that execution of the software program is certified as valid 
or indicating that the software program was not altered in an
unauthorized manner prior to or during its execution. The
signal can be stored or generated after completion of the
software program. In certain implementations, such a signal
is stored only if all of the verification tests are satisfied. The
signal indicative of whether execution of the software program
is certified as valid can be retrieved from the smart
card. Additionally, the microcontroller can be configured to 
cause a signal indicative of whether execution of the soft- 
ware program is certified as valid to be generated in response 
to a query generated externally to the smart card. 
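
The checks listed above (call identifier, call order, variable values, response to control values, and a certification flag set only when every test passes) can be seen working together in a small simulation. This is an added example, not part of the patent text: the host loop follows the MONITOR program that the detailed description walks through for FIG. 5, and the class and function names, the range for X, the probe schedule and the HMAC tag standing in for the encrypted certification data are assumptions.

```python
import hashlib
import hmac

LOOP_LAST = 10                      # FIG. 5: I runs from one through ten


class SmartCard:
    """Card-side verifier (hypothetical model of the checks in the text)."""

    def __init__(self, key, x_range=(0, 1000), first_probe=2, schedule=(8,)):
        self.key = key                    # secret that never leaves the card
        self.x_range = x_range            # assumed "prescribed range" for X
        self.next_probe = first_probe     # value of I at which line 5 must call
        self.schedule = list(schedule)    # MONITOR values still to hand out (<= 10)
        self.stage = "start"              # start -> loop -> done
        self.x0 = None
        self.calls = []                   # identifiers in the order received
        self.failed = False
        self.certified = False            # flag kept in card data memory

    def _fail(self):
        self.failed = True                # one failed test blocks certification
        return None

    def contact(self, line_id, value):
        """Handle CONTACT_SMART_CARD(line_id, value); return a control value."""
        self.calls.append(line_id)
        if self.failed:
            return None
        if line_id == 3 and self.stage == "start":        # initial value of X
            low, high = self.x_range
            if not low <= value <= high:
                return self._fail()
            self.x0, self.stage = value, "loop"
            return None
        if line_id == 5 and self.stage == "loop":         # probe inside the loop
            if value != self.next_probe:                   # host ignored MONITOR
                return self._fail()
            if self.schedule:
                self.next_probe = self.schedule.pop(0)
                return self.next_probe                     # new MONITOR value
            self.next_probe = None
            return value                                   # MONITOR left unchanged
        if line_id == 7 and self.stage == "loop":         # final value of X
            self.stage = "done"
            if self.next_probe is not None:                # a scheduled probe never came
                return self._fail()
            if value != self.x0 + sum(range(1, LOOP_LAST + 1)):
                return self._fail()
            self.certified = True
            # HMAC tag used here in place of the encrypted certification data
            return hmac.new(self.key, b"valid:%d" % value, hashlib.sha256).hexdigest()
        return self._fail()                                # wrong identifier or order


def run_program(card, x, obey_monitor=True, tamper=0):
    """Host loop following the FIG. 5 walkthrough; the flags simulate tampering."""
    monitor = 2                               # line 1 (first probe occurs at I == 2)
    card.contact(3, x)                        # line 3
    for i in range(1, LOOP_LAST + 1):         # line 4
        if i - monitor == 0:                  # line 5
            reply = card.contact(5, i)
            if obey_monitor and reply is not None:
                monitor = reply
        x = x + i + (tamper if i == 6 else 0)  # line 6
    return x, card.contact(7, x)              # line 7


def verify_certificate(key, x, tag):
    """Vendor-side check of the tag returned at line 7."""
    expected = hmac.new(key, b"valid:%d" % x, hashlib.sha256).hexdigest()
    return tag is not None and hmac.compare_digest(expected, tag)


def demo():
    key = b"constructed-demo-key"             # constructed sample key
    results = {}
    for name, kwargs, schedule in [
        ("honest", {}, (8,)),
        ("ignores MONITOR", {"obey_monitor": False}, (8,)),
        ("alters X", {"tamper": 1}, (8,)),
        ("honest, dense probing", {}, tuple(range(3, LOOP_LAST + 1))),
    ]:
        card = SmartCard(key, schedule=schedule)
        x, tag = run_program(card, 5, **kwargs)
        results[name] = (card.certified, verify_certificate(key, x, tag), card.calls)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The dense schedule corresponds to the card probing every loop iteration from I equal to two onward, which trades execution speed for a tighter check.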

The microcontroller in the smart card can be suitably
configured to perform the various functions so as to provide,
in response to the proper execution of the program by the
computer, a signal which indicates that execution of the
software program is certified as valid or which indicates that
the software program was not altered in an unauthorized
manner prior to or during execution of the software program.

In an additional aspect, the invention includes a method of 
tracking the amount of usage of a software program 
executed by a computer. The method includes executing the
software program on a computer, sending information from
the computer to a smart card during execution of the
software program, and storing information in the smart card
indicative of the number of times the software program has
been executed. The smart card can also store information
indicative of the frequency with which various software
routines were called during execution of the software program.
In various implementations, the invention provides one or
more of the following advantages. The invention makes it
easier to detect whether any unauthorized modifications to
or tampering of the software program being executed by the
computer has occurred. The invention can also provide a
technique for validating and certifying the accuracy of
results obtained by the software program. Such detection
can be performed in a relatively low cost and secure manner.

In some implementations, the smart card can be used to
vary the extent of its probe of the computer program in
response to information previously received from the computer
during execution of the program. Thus, the smart card
can tailor the probe and subsequent validation tests to
provide a tamper resistant, yet efficient, technique for
executing a computer program.

The invention can also provide a technique for tracking
the amount of use of a particular computer program. This
tracking or metering can be used, for example, to charge
consumers for their usage of the computer program on a
per-use basis.

Additional features and advantages will be readily apparent
from the following detailed description, accompanying
drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an exemplary system in which the invention can
be practiced.

FIG. 2 is a flow chart illustrating a method according to
one implementation of the invention.

FIG. 3 is a flow chart illustrating a method according to
another implementation of the invention.

FIGS. 4A-4B are a flow chart illustrating a method
according to a further implementation of the invention.

FIG. 5 shows an exemplary computer program whose
execution can be certified by a smart card according to the
invention.

DESCRIPTION OF THE PREFERRED
EMBODIMENTS

FIG. 1 shows an exemplary system which includes a
smart card 2. Smart cards, also known as microprocessor
cards or chip-cards, are plastic cards approximately the size
of a credit card embedded with an integrated circuit (IC)
chip. The chip stores information while protecting it from
unauthorized access. As shown in FIG. 1, the smart card 2
includes a microcontroller 3. Software which controls the
operations of the smart card 2 is stored in program memory
4 such as nonvolatile read-only memory (ROM). The
microcontroller 3 is appropriately configured by the program
residing in the program memory 4 to perform the various
smart card functions described below. Data is stored in a
data memory 5. In the smart card 2 shown in FIG. 1, the data
memory 5 includes an alterable nonvolatile memory, such as
electrically erasable programmable read-only memory
(EEPROM). The data memory 5 also includes random
access memory (RAM).

The system 1 further includes a terminal 10. The terminal
10 includes a computer or other processor, such as a personal
computer 11, which can execute, for example, a software
program installed in the computer 11. A smart card reader or
reader/writer 12 is attached to and communicates with the
computer 11. The terminal 10 also includes a device for a
user to interact with the software program during its execution.
Such a device can include, for example, one or more of
the following: a keyboard 13, a mouse 14, a joystick 15, an
interactive display screen 16, or other devices which allow
a person using the program to provide appropriate input data
or input signals to the computer 11.

The smart card 2 also has a device for communicating 6
with the smart card reader or reader/writer 12. In certain
implementations, the device for communicating 6 is electrical
circuitry which requires physical contact with pins in
the smart card reader/writer 12. Alternatively, electrical
circuitry on the smart card 2 can use inductive coupling,
capacitive coupling or radio signals to communicate with the
reader/writer 12. Communication may be performed by a
local area or wide area network, for example, by way of the
Internet or by a satellite communication link.

The smart card 2 is issued by a particular vendor and is
intended to be used in conjunction with a computer software
program from the particular vendor. In one exemplary
[illegible] purchased as part of a [illegible] including
computer software stored on a computer-readable medium,
such as a magnetic diskette. The computer-readable medium
can be inserted into a drive in the computer 11 which is
capable of reading and executing the software residing on the
computer-readable medium. In other situations, the software
program can be permanently stored in computer memory,
such as read-only-memory (ROM). In still other situations,
the smart card reader or reader/writer 12 is at a different
location from the computer 11 and communicates with the
computer 11 by a local area or wide area network, for
example, by the Internet, satellite communication links or
another suitable communication means.

In general, when a person wishes to use the software
program on the computer, the smart card must be inserted in
the reader/writer 12. The computer 11 then provides
information [illegible] smart card 2 at selected points
during execution of the software program. In certain
implementations, the computer 11 also receives information,
data or instructions from the smart card 2. The information,
data or instructions generated by the smart card 2 can take
various forms, including, for example, control values. Based
upon the information or data provided to the smart card 2,
the smart card can determine whether anyone has improperly
altered or tampered with the program being executed by
the computer 11. The smart card 2 can thus determine the
validity of the results generated by the program and can
certify the results as valid.

FIGS. 2-3, 4A and 4B are flow charts showing various
implementations of a method of validating the execution of
a particular software program according to the invention. As
shown by 100 in FIG. 2, the computer 11 begins to execute
the particular software program. Execution of the program
can begin, for example, when the computer 11 is powered
up, when the user strikes a key on the keyboard 13, or when
some other triggering signal is received by the computer 11.
As indicated by 102, the software program instructs the
computer to send certain information to the smart card 2 at
a specified point during the program's execution. This
information can include, for example, an identifier indicating
the point or line in the program which is executing the
contact to the smart card as well as information regarding the
current state of the program. The information regarding the
current state of the program can include, for example, the
present value of a particular variable used in the program.
This information is sent to the smart card 2 which verifies
the received information, for example, as accurate or within
a prescribed range, as indicated by 104. The computer
completes execution of the program, as indicated by 106. If
the information received by the smart card 2 is verified, then
the smart card 2 certifies, for example, that the executed
program was not tampered with or altered, as indicated by
108.

In certain implementations, the certification would be
provided by the smart card 2 only in response to a query
from another party, such as the vendor of the software,
having access to the certification results stored in the smart
card 2. For example, a separate program, not available to the
purchaser of the software package, can be required to access
the validation results in the smart card 2. Thus, validation
and certification data and programs should be stored in a
secure manner on the smart card 2. In some applications, this
may involve the use of special passwords, as well as known
data encryption techniques.

FIG. 3 is a flow chart of another implementation of a
method of validating the proper execution of a particular
software program according to the invention. As shown by
110, the computer 11 begins to execute the particular software
program. As indicated by 112, the software program
instructs the computer to send certain information to the
smart card 2 at a specified point during the program's
execution. This information can include, for example, an
identifier indicating the point or line in the program which
is executing the contact to the smart card as well as information
regarding the current state of the program. The
information regarding the state of the program can include,
for example, the value of specified variables used in the
program being executed by the computer 11. The information
sent by the computer 11 to the smart card 2 can also
include a signal indicating whether the computer program
has been completed. In response to the information sent by
the computer 11, the smart card 2 verifies the information
received from the computer 11, as indicated by 114. Various
types of verifications can be performed, including checking
whether received values are accurate or within expected
ranges. The microcontroller 3 in the smart card 2 can also be
configured to check whether the computer 11 sent information
to the smart card 2 at the appropriate points or lines
during the computer's execution of the program.

The smart card 2 determines whether execution of the
program by the computer 2 has been completed, as indicated
by 116. If the computer 2 has completed its execution of the
program, and the verification test or tests performed in 114
were satisfied, then the smart card 2 certifies, for example,
that the executed program was not tampered with or altered,
as indicated by 118.

Returning to 116, if the computer 2 has not completed its
execution of the program, the smart card 2 returns one or
more control values to the computer 11, as indicated by 120.
In some implementations, for example, the control values
are used by the software program being executed in the
computer 11 to determine when the computer 11 should next
send information to the smart card 2. The computer 11
continues to execute the program, as indicated by 122. At the
appropriate point during the continued execution of the
program, the computer 11 again sends information to the
smart card 2 (112). The additional information can also
include an identifier indicating the point or line in the
program which is executing the contact to the smart card 2
as well as information regarding the current state of the
program. The additional information can be the same or
different from the information previously sent to the smart
card 2 depending on the details of the software program
being executed by the computer 11 and any control values
that may previously have been returned by the smart card 2.
The smart card 2 verifies the received information (116).
This cycle continues until execution of the program by the
computer 11 is completed.

If the one or more verification tests performed by the
smart card 2 are satisfied, then the smart card 2 certifies, for
example, that the executed program was not tampered with
or altered, as indicated by 118. If, on the other hand, any
verification test is not satisfied, then the smart card 2 is
programmed to generate and send a signal to the computer
instructing the computer 11 to interrupt and terminate execution
of the software program. Moreover, the smart card 2
will not certify that the program executed by the computer
11 was not tampered with or altered.

FIGS. 4A and 4B are a flow chart showing yet a further
implementation of the invention. As shown by 130, the
computer 11 begins to execute the particular software program.
The software program instructs the computer 11 to
verify that the proper smart card is inserted in the smart card
reader/writer 12, as indicated by 132. In one
implementation, for example, the smart card 2 can include a
[illegible] 5 [illegible]
by the computer 11 to verify the identity of the smart card
2. Assuming the proper smart card is inserted in the
reader/writer 12, the computer 11 sends certain information to the
smart card 2 at a specified point during the program's
execution, as indicated by 134. Again, this information can
include, for example, an identifier indicating the point or line
in the program which is executing the call to the smart card
as well as information regarding the current state of the
program. The information regarding the current state of the
program can include, for example, the values of one or more
specified program variables as well as a signal indicating
whether execution of the software program has been completed.
In various implementations, the information regarding
the state of the program can also identify the memory
addresses in which specified data is stored in the computer
11.

As indicated by 136, in response to the information
received by the smart card 2, the smart card 2 verifies
whether the received values of program variables are within
acceptable ranges of expected values. If the received values
are not verified, then, as indicated by 140, the smart card
determines whether the computer 11 has completed execution
of the software program. If the computer 11 has not
completed execution of the program, then the smart card
generates a signal which it sends to the computer 11 instructing
the computer 11 to interrupt and terminate the program,
as indicated by 142. On the other hand, if the computer 11
has completed executing the program, then, as indicated by
144, the smart card 2 stores a retrievable data signal or
electronic flag in its memory 5 indicating that the results of
the executed program are not certified as true, accurate or
otherwise reliable.

If, in 136, the smart card 2 verifies that the received values
are within acceptable ranges, then, as indicated by 146, the
smart card 2 determines whether the received information
represents the first call by the computer 11 to the smart card
2. If this present call is the first call to the smart card 2, then
the smart card determines whether execution of the software
program by the computer 11 is completed, as indicated by
148. The determination of whether execution of the program
is completed can be based, for example, on the signal sent
by the computer 11 in 134. If execution of the program by
the computer 11 is completed, then, as indicated by 162, the
smart card 2 stores a retrievable data signal or flag in its
memory 5 indicating that the results of the executed program
are certified as true, accurate or otherwise reliable. If execution
of the program by the computer 11 is not completed,
then the smart card 2 returns one or more control values to
the computer 11, as indicated by 164. Again, in certain
implementations, the control values can instruct the computer
at what subsequent point or line in the program the
computer should next send information to the smart card 2.
The computer 11 continues to execute the program, as
indicated by 166. At the appropriate point during the continued
execution of the program, the computer 11 again
sends additional information to the smart card 2, as indicated
[illegible]

Returning to 146, if the smart card 2 determines that the
present call to the smart card is not the first call to the smart
card during the present execution of the program then, in
various implementations, the smart card 2 can perform one
or more of the following additional verification checks. As
indicated by 150, the smart card 2 can verify whether the
order in which calls have been made to the smart card is
correct. The smart card 2 can also verify whether the
software program executed by the computer 11 responds
correctly to the control values generated by the smart card,
as indicated by 152. In addition, the smart card 2 can verify
whether the frequency with which alternative routines in the
software program are called is within acceptable ranges, as
indicated by 154. This feature can be useful, for example,
when the execution history of the software program on the
computer 11 is determined by a random number such as in
various software programs in the game industry.
Furthermore, as indicated by 156, the smart card 2 can verify
whether the memory addresses of particular data values or
computer instructions are correct or, alternatively, whether
the memory addresses are permissible memory locations for
the particular data. The smart card 2 can also verify whether
the elapsed time between calls to the smart card 2 is within
an expected range of values given the input data, as indicated
by 158.

The smart card 2 determines whether each of the additional
verification tests performed in 150 through 158 is
satisfied, as indicated by 160. If any of the verification tests
is not satisfied, then the smart card program returns to 140.
The smart card 2 either generates a signal instructing the
computer 11 to interrupt and terminate the program being
executed by the computer 11 (142), or, if the program
running on the computer 11 has already been completed, the
smart card 2 stores a retrievable data signal or flag in its
memory 5 indicating that the results of the executed program
are not certified as true, accurate or otherwise reliable (144).

Returning to 160, if all the verification tests performed in
150 through 158 are satisfied, then the program in the smart
card 2 returns to 148 by which the smart card 2 determines
whether the program being executed by the computer 11 has
been completed. As previously discussed, the determination
of whether execution of the computer program is completed
can be based, for example, on the signal sent by the
computer 11 in 134. Depending on whether the computer 11
has completed executing the program, the smart card 2 either
stores a retrievable data signal or flag in its memory 5
indicating that the results of the executed program are
certified as true, accurate or otherwise reliable (162) or
returns one or more control values to the computer 11 (164)
to allow the computer 11 to continue execution of the
program.

FIG. 5 illustrates an exemplary software program that,
according to one implementation of the invention, can be
executed by the computer 11 in conjunction with the smart
card 2 to validate and certify any results generated by the
computer 11. The software program of FIG. 5 is intended to
illustrate various features and advantages of the invention
and is exemplary only. It is not, however, intended to limit
the scope of the invention.

In FIG. 5, MONITOR is a control variable whose value
can be changed by the smart card 2 at certain points during
execution of the program. CONTACT_SMART_CARD
instructs the computer 11 to generate a call to the smart card
2 and to send it specific information. The first argument of
the call CONTACT_SMART_CARD identifies to the smart
card 2 which call it is receiving. In this example, the
corresponding line number of the program which generates
the call to the smart card is used.

[illegible] MONITOR [illegible] 11 to read or retrieve the
value of a variable X from computer memory. In line 3, the
computer 11 is instructed to send the current value of X to
the smart card. In this line of the program, the first argument
in the call [illegible] smart card 2 that the information it is
[illegible] 3 [illegible].

Line 4 of the program shown in FIG. 5 instructs the
computer 11 to perform the next two lines of the program for
the variable I, where I takes on each of the values one
through ten, successively. In line 5, if the current value of the
variable I minus the current value of MONITOR equals
zero, then the computer 11 is instructed to make another call
to the smart card 2 and to send the current value of I to the
smart card. In the illustrated example, the first call in line 5
of the program would occur when I equals two. In response,
the smart card 2 returns a value for the control variable
MONITOR which can be the same or different from the
[illegible] MONITOR. For purposes of illustration, it will be
assumed that the smart card 2 returns [illegible] MONITOR
in response to [illegible].

In line 6 of the program shown in FIG. 5, a new value for
the variable X is calculated and set equal to the previous
value of X plus the current value of the variable I. The
program will continue to increment the value of I and to
calculate corresponding new values of X. No additional calls
will be made to the smart card 2 until the variable I equals
eight. When I is set to eight in line 4 of the program, the
computer 11 makes another call to the smart card 2 in line
5 of the program. Assuming, for example, that the smart card
2 does not modify the value of the control variable MONITOR
in response to this call, then the program will continue
to increment the value of I and to calculate the corresponding
[illegible] the variable I is set to
ten, and a final value of the variable X is obtained in line 6
of the program.

In line 7 of the program shown in FIG. 5, the computer 11
is instructed to make yet another call to the smart card 2 and
to send the smart card the current value of the variable X. In
response, the smart card 2 returns, for example, encrypted
data representing a certification that execution of the program
by the computer 11 was not improperly altered if
various verification tests by the smart card were satisfied.
The verification tests which the smart card 2 can perform
include the various types of verification tests discussed
above. For example, the smart card 2 would verify that the
computer 11 executed calls to the smart card 2 in the proper
order. Similarly, the smart card 2 would verify that received
values of the variables X and I were correct. In addition, the
smart card 2 can probe the computer program to determine
whether it responds the way the smart card 2 expects it to
respond based on the values of the control variable MONITOR
returned to the computer 11.

In line 8 of the computer program in FIG. 5, the program
writes the encrypted certification data to memory. The
encrypted certification data can be retrieved and decrypted at a later time by a party holding the proper decryption key. The computer program of FIG. 5 ends in line 10.

In some implementations, the smart card 2 is configured by a program in the memory 4 to vary the values of the control variable depending on the results of the verification tests. For example, various verification tests can be designed to indicate whether received values are reasonable given the input values or whether the received values fall within acceptable limits. The results of such tests may indicate to the smart card 2 that a more careful probing of the execution of the computer program is necessary before providing certification. In such circumstances, the smart card 2 would modify the control values to probe the execution of the program more frequently. Thus, with respect to the program in FIG. 5, the smart card 2 would, for example, return values of the control variable such that each time line 5 of the program was executed with the variable I equal to or greater than two, the current value of I would be sent to the smart card 2. In general, it is desirable to limit the number of times the smart card 2 is called so as to maintain a fast execution time for the computer program. On the other hand, the more frequently the computer program calls the smart card 2 and sends it information, the more reliable the certification will be. The frequency with which the computer program calls the smart card 2 can be tailored to the particular requirements of the application.

To further increase the likelihood that unauthorized tampering or alteration of the computer program will be detected, all information sent between the computer 11 and the smart card 2 can be encrypted according to known techniques.

Additionally, in certain implementations, the microcontroller 3 can be configured by a program in the smart card memory 4 to keep track of the number of times the software program is executed by the computer 11 or the frequency with which various routines in the program are called based on information sent to the smart card 2 while the program is being executed. Such data can be stored in the smart card memory 5 and subsequently retrieved to meter the usage of the computer program. Such metering would allow the vendor of the software, for example, to charge consumers on a per-use basis, rather than a flat fee for purchase of the software.

Other implementations are contemplated within the scope of the following claims.

What is claimed is:

1. A method of validating execution of a software program comprising:
executing the software program on a computer;
sending information from the computer to a smart card during execution of the software program including sending an identifier indicative of a point in the software program at which the information was sent to the smart card;
verifying in the smart card that the information received from the computer satisfies a criteria indicative of the validity of the software program; and
storing a signal in the smart card indicative of whether execution of the software program is certified as valid.

2. The method of claim 1 of validating execution of a software program further comprising:
if the software program has not finished executing and if the criteria indicative of the validity of the software program is not satisfied, sending a signal from the smart card to cause terminating the execution of the software program.

3. The method of claim 1 wherein verifying comprises checking whether the identifier is correct.

4. The method of claim 1 wherein the software program is in a current state, and wherein sending information comprises sending information indicative of the current state of the software program.

5. The method of claim 4 wherein the software program comprises a variable having a current value, and wherein sending information comprises sending the current value of the variable to the smart card.

6. The method of claim 5 wherein verifying comprises checking whether the current value of the variable is accurate.

7. The method of claim 5 wherein verifying comprises checking whether the current value of the variable falls within a prescribed range.

8. The method of claim 1 wherein storing a signal comprises storing a signal indicating that the software program was not altered in an unauthorized manner prior to or during its execution.

9. A method of validating execution of a software program comprising:
executing the software program on a computer;
sending a value for a specified variable from the computer to a smart card during execution of the software program;
verifying in the smart card that the value received from the computer is accurate or within an expected range;
sending a control value from the smart card to the computer in response to verifying the information received from the computer and indicative of whether the software program is valid or invalid;
continuing execution of the software program if the control value indicates that the software program is valid.

10. The method of claim 9 wherein the control value determines when subsequent information will be sent from the computer to the smart card during execution of the software program.

11. The method of claim 9 of validating execution of a software program further comprising:
terminating execution of the software program if the control value indicates the software program is invalid.

12. The method of claim 1 further comprising sending control values from the smart card to the computer in response to verifying the information received from the computer, wherein the frequency with which the computer sends information to the smart card depends upon the control values.

'^^ ^^^^ ^ wherein sending information comprises sending information identifying memory addresses in the computer in which specified data is stored.

14. The method of claim 13 wherein verifying comprises verifying whether the memory addresses are permissible memory locations for the specified data.

15. The method of claim 1 wherein sending information to the smart card occurs multiple times during execution of the software program in a particular order, and wherein verifying comprises verifying that the order in which the multiple occurrences takes place is correct.

16. The method of claim 1 wherein the software program comprises a plurality of routines each of which routines is called for during execution of the software program, and
wherein verifying comprises determining whether a frequency with which each of the routines is called is within acceptable ranges.

17. A method of validating execution of a software program comprising:
executing the software program on a computer;
sending information from the computer to a smart card during execution of the software program; and
verifying in the smart card that a duration of time between successive calls to the smart card by the computer during execution of the software program is within acceptable ranges; and
sending a control value from the smart card to the computer in response to verifying the information received from the computer and indicative of whether the software program is valid or invalid; and
continuing execution of the software program if the control value indicates that the software program is valid.

18. The method of claim 1 of validating execution of a software program further comprising:
terminating execution of the software program if the control value indicates the software program further.

19. The method of claim 1 wherein verifying comprises performing a plurality of verification tests in response to the information received from the computer, and wherein storing a signal comprises storing a signal indicating that the software program was not improperly altered during its execution only if all of the verification tests are satisfied.

20. The method of claim 1 further comprising retrieving from the smart card the signal indicative of whether execution of the software program is certified as valid.

21. A method of validating execution of a software program comprising:
executing the software program on a computer;
verifying in a smart card information received from the computer during execution of the software program is within an expected frequency;
generating a signal by the smart card indicative of whether execution of the software program is certified as valid based on the verifying step; and
sending control values indicating the validity or invalidity of the software program from the smart card to the computer in response to verifying the information received from the computer.

22. The method of claim 21 wherein the signal indicative of whether execution of the software program is certified as valid is generated after completion of the software program.

23. The method of claim 21 of validating execution of a software program further comprising:
continuing execution of the software program based on the control value.

24. A method of validating execution of a software program comprising:
executing the software program on a computer;
sending a control value from a smart card to the computer;
sending information from the software program to the computer in response to the control value;
verifying in the smart card that the information received from the computer during execution of the software program is a correct response to the control value.

25. The method of claim 24 wherein the control value determines when subsequent information will be sent from the computer to the smart card during execution of the software program.

26. A smart card for use in connection with execution of a software program by a computer, the smart card comprising:
communication circuitry for receiving information from a location external to the smart card and for transmitting information from the smart card to the external location;
memory which stores data and a smart card program; and
a microcontroller configured by the smart card program to verify information received from the computer during execution of the software program and to cause a signal to be stored in the memory, wherein the signal is indicative of whether execution of the software program is certified as valid based on results of verifying the received information;
wherein the information received from the computer comprises information identifying memory addresses in the computer in which specified data is stored, and wherein the microcontroller is further configured to verify whether the memory addresses are permissible memory locations for the specified data.

27. The smart card of claim 26 wherein the microcontroller is configured to check whether a value of a variable received from the computer during execution of the software program is accurate.

28. The smart card of claim 26 wherein the microcontroller is configured to check whether a value of a variable received from the computer during execution of the software program falls within a prescribed range.

29. The smart card of claim 26 wherein the signal stored in the memory indicates that the software program was not altered in an unauthorized manner prior to or during execution of the software program.

30. The smart card of claim 26 wherein the microcontroller is further configured to send a control value to the computer.

31. The smart card of claim 30 wherein the microcontroller is configured to determine whether the software program responds correctly to the control value.

32. The smart card of claim 26 wherein the microcontroller is configured to perform a plurality of verification tests in response to the information received from the computer, and wherein the microcontroller is further configured to cause a signal indicating that the software program was not improperly altered during its execution to be stored in the memory only if all of the verification tests are satisfied.

33. The smart card of claim 26 wherein the microcontroller is further configured to cause a signal indicative of whether execution of the software program is certified as valid to be generated in response to a query generated externally to the smart card.

34. The smart card of claim 26 wherein the microcontroller is further configured to cause information indicative of the number of times the software program has been executed to be stored in the memory.

35. The smart card of claim 26 wherein the software program comprises a plurality of routines, and wherein the microcontroller is further configured to cause information indicative of the frequency with which each of the routines was called during execution of the software program to be stored in the memory.

36. A smart card for use in connection with execution of a software program by a computer, the smart card comprising:
communication circuitry for receiving information from a location external to the smart card and for transmitting information from the smart card to the external location;
memory which stores data and a smart card program; and
a microcontroller configured by the smart card program to verify information received from the computer during execution of the software program and to cause a signal to be stored in the memory, wherein the signal is indicative of whether execution of the software program is certified as valid based on results of verifying the received information;
wherein the information received from the computer comprises a plurality of routines each of which routines is called by the software program during execution of the software program, and wherein the microcontroller is further configured to determine whether a frequency with which each of the routines was called is within acceptable ranges.

37. A smart card for use in connection with execution of a software program by a computer, the smart card comprising:
communication circuitry for receiving information from a location external to the smart card and for transmitting information from the smart card to the external location;
memory which stores data and a smart card program; and
a microcontroller configured by the smart card program to verify information received from the computer during execution of the software program and to cause a signal to be stored in the memory wherein the signal is indicative of whether execution of the software program is certified as valid based on results of verifying the received information;
wherein the microcontroller is further configured to determine whether a duration of time between successive calls to the smart card by the computer during execution of the software program is within acceptable ranges.

38. A software package for use on a computer system having
a computer readable medium which stores a software program for execution by a computer and
a smart card having
communication circuitry for receiving information from a location external to the smart card and for transmitting information from the smart card to the external location,
memory which stores data and a smart card program, and
a microcontroller, the software package comprising logic to cause the smart card program to verify information received from the computer during execution of the software program and to cause a signal to be stored in the memory, wherein the signal is indicative of whether execution of the software program is certified as valid based on results of verifying the received information;
wherein the information received from the computer comprises information identifying memory addresses in the computer in which specified data is stored, and wherein the microcontroller is further configured to verify whether the memory addresses are permissible memory locations for the specified data.

39. The software package of claim 38 further comprising logic to cause the microcontroller to check whether a value of a variable received from the computer during execution of the software program is accurate.

40. The software package of claim 39 wherein the signal stored in the memory indicates that the software program was not altered in an unauthorized manner prior to or during execution of the software program.

41. The software package of claim 38 further comprising logic to cause the microcontroller to check whether a value of a variable received from the computer during execution of the software program falls within a prescribed range.

42. The software package of claim 38 further comprising logic to cause the microcontroller to send a control value to the computer.

43. The software package of claim 42 further comprising logic to cause the microcontroller to determine whether the software program responds correctly to the control value.

44. The software package of claim 38 wherein the information received from the computer comprises a plurality of routines each of which routines is called by the software program during execution of the software program, and further comprising logic to cause the microcontroller to determine whether a frequency with which each of the routines was called is within acceptable ranges.

45. A software package for use on a computer system having
a computer readable medium which stores a software program for execution by a computer, and
a smart card having
communication circuitry for receiving information from a location external to the smart card and for transmitting information from the smart card to the external location,
memory which stores data and a smart card program, and
a microcontroller, the software package comprising:
logic to cause the microcontroller to verify information received from the computer during execution of the software program and to cause a signal to be stored in the memory, wherein the signal is indicative of whether execution of the software program is certified as valid based on results of verifying the received information; and
logic to cause the microcontroller to determine whether a duration of time between successive calls to the smart card by the computer during execution of the software program is within acceptable ranges.

46. The software package of claim 38 further comprising logic to cause the microcontroller to perform a plurality of verification tests in response to the information received from the computer, and logic to cause the microcontroller to cause a signal indicating that the software program was not improperly altered during its execution to be stored in the memory only if all of the verification tests are satisfied.

47. The software package of claim 38 further comprising logic to cause the microcontroller to cause a signal indicative of whether execution of the software program is certified as valid to be generated in response to a query generated externally to the smart card.

48. The software package of claim 38 further comprising logic to cause the microcontroller to cause information indicative of the number of times the software program has been executed to be stored in the memory.

49. The software package of claim 38 wherein the software program comprises a plurality of routines, and wherein the software package further comprises logic to cause the microcontroller to cause information indicative of the frequency with which each of the routines was called during execution of the software program to be stored in the memory.
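
The card-side checks set out in the detailed description (calls arriving in the proper order, received values within acceptable limits, the time between successive calls, a control value that asks for more frequent probing when a value looks borderline, and certification only if every test passes) can be simulated as below. This is an added example, not code from the patent or its FIG. 5; the checkpoint names, the limits, the encoding of MONITOR and the card clock passed as `now_ms` are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Every name and limit here is an assumption made for this example.
TRANSITIONS = {None: {"START"}, "START": {"LOOP", "END"}, "LOOP": {"LOOP", "END"}}
RANGES = {"X": (0, 1000), "I": (0, 10)}   # acceptable limits per reported variable
MAX_GAP_MS = 500                          # longest allowed gap between successive calls
RELAXED, STRICT, HALT = 4, 1, 0           # MONITOR: report every 4th pass / every pass / stop


@dataclass
class CardVerifier:
    prev: Optional[str] = None            # identifier carried by the previous call
    last_ms: Optional[int] = None         # card clock at the previous call
    monitor: int = RELAXED
    failures: list = field(default_factory=list)
    certified: Optional[bool] = None      # stored signal; None until the program ends

    def call(self, ident: str, values: dict, now_ms: int) -> int:
        """Verify one call from the host and return the control value MONITOR."""
        if ident not in TRANSITIONS.get(self.prev, set()):
            self.failures.append(f"order: {ident} after {self.prev}")
        if self.last_ms is not None and now_ms - self.last_ms > MAX_GAP_MS:
            self.failures.append(f"timing: {now_ms - self.last_ms} ms gap")
        for name, value in values.items():
            if name not in RANGES:
                self.failures.append(f"unexpected variable: {name}")
                continue
            low, high = RANGES[name]
            if not low <= value <= high:
                self.failures.append(f"range: {name}={value}")
            elif value > high - (high - low) // 10:
                self.monitor = STRICT     # plausible but near the limit: probe more often
        self.prev, self.last_ms = ident, now_ms
        if self.failures:
            self.monitor = HALT           # tells the host to terminate the program
        if ident == "END" or self.failures:
            self.certified = not self.failures   # valid only if all tests passed
        return self.monitor


def run(trace):
    """Feed constructed (identifier, values, time_ms) calls to a fresh card."""
    card = CardVerifier()
    controls = [card.call(*step) for step in trace]
    return card.certified, controls, card.failures


if __name__ == "__main__":
    # Constructed trace: the second call reports I outside its acceptable limits.
    print(run([("START", {"X": 5}, 0), ("LOOP", {"I": 11}, 50)]))
```
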
